Organizational Culture is Your Best Cyber Defense

Electric grid cybersecurity is not an easy problem to solve. The remote and disparate nature of the assets combined with the widespread use of legacy systems make identifying and mitigating points of vulnerability an incredible challenge. Unlike counterparts in the enterprise world that can deploy out-of-the-box cyber defense solutions in a contained environment, utilities are dealing with a litany of threats with no shortage of potential access points.

The technology shift that has taken place within the power industry over the past couple decades has led to a more stable and efficient power supply. There is now a plethora of sensors in the infrastructure that provide up to the moment data allowing technicians and engineers to respond nearly instantaneously to underperforming resources or abnormal situations. Yet these systems have also created numerous points of vulnerability.

To address the issue of cybersecurity in any sort of meaningful way, companies need to adopt a big-picture view. They need to assess which assets need to be protected, where they are in the network, how the workforce should interact with those assets and more. They then need to design a holistic solution that coordinates across silos to secure these assets. Industrial security today isn’t insular. It’s not homegrown. It’s collaborative and intentional.

Shifting the Conversation on Grid Security

Solving the cybersecurity conundrum in the power industry isn’t just a matter of obtaining a new or better mousetrap, it’s about shifting the conversation and fundamentally changing the approach. Power organizations are typically set up to operate within silos with different departments handling their responsibilities with little to no sharing of critical information. If you are truly serious about rooting out potential security threats that can undermine your facility, the first step is rallying all the key stakeholders to the cause and getting them moving in the same direction.

When it comes to security in the power industry, being compliant and capable of passing an audit needs to be the minimum standard, not the level you are working to achieve. While compliance initiatives can certainly seem overwhelming— NERC CIP standards alone cover over 40 different requirements—meeting these represents the starting point for an effective security practice, not the end goal.

To reach the level of security necessary to thwart today’s sophisticated attacks also requires an organizational understanding of your common enemy. When you work in the power industry, you are not matching wits with a run of the mill hacker. You are up against capable, well-funded adversaries in the form of nation states or criminal syndicates. Creating any line of formidable defense against these threats demands that the organization is working in lockstep towards this goal.

Security is often about mindset. Efforts such as the ‘if you see something, say something’ campaign may seem simplistic, but they work because they are simple and inclusive. Organizational security is a collective effort that is woven into the culture over time. It demands a mentality that empowers one and all to make a difference in guarding against potential threats. No one person, technology or team can completely solve the cybersecurity threat alone.